Bug 856155 - perl-LDAP fails GSSAPI authentication
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: perl-LDAP
Version: 6.3
Assigned To: perl-maint-list
Reported: 2012-09-11 06:32 EDT by Marko Myllynen
Modified: 2012-09-12 04:19 EDT (History)
Last Closed: 2012-09-12 04:19:10 EDT
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
CPAN 58478 None None None 2012-09-12 03:12:45 EDT
Description Marko Myllynen 2012-09-11 06:32:02 EDT
Description of problem:
On a system in a domain/realm where kinit, ldapsearch -Y GSSAPI, net ads join -k, etc. all work as expected, the following Perl script fails:

$ cat test.pl
#!/usr/bin/perl

use Net::LDAP;
use Authen::SASL;

my $server = 'server.example.com';
my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');
my $ldap = Net::LDAP->new($server) or die $@;
my $res = $ldap->bind(sasl => $sasl);
print $res->error_text;
print $sasl->error;
$ldap->unbind;
$ perl test.pl
An error occurred in C<Net::LDAP>
GSSAPI Error (init): Unspecified GSS failure.  Minor error code may provide more information
Cannot determine realm for numeric host address

It would seem that this cannot possibly work if a numeric IP address is used in LDAP.pm for the connection, as currently happens.

There is a related Debian bug at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573596 about the same issue.

CC'ing Alexander who already investigated this.

Version-Release number of selected component (if applicable):
RHEL 6.3 / perl-LDAP-0.40.1.el6
Comment 2 Petr Pisar 2012-09-12 03:12:45 EDT
This is the famous story about hostname canonicalization which I've seen in other projects too.

Debian decided not to fix it because, according to upstream, it would break other (MIT) users, and the recommended way is to pass the result of Authen::SASL->new(mechanism => 'GSSAPI')->client_new('ldap', $server) to Net::LDAP::bind().

Does this change in your application fix this problem for you?
Comment 3 Marko Myllynen 2012-09-12 04:19:10 EDT
(In reply to comment #2)
> This is the famous story about hostname canonicalization which I've seen in
> other projects too.

Very (in)famous indeed :)

> Debian decided not to fix it because, according to upstream, it would break
> other (MIT) users, and the recommended way is to pass the result of
> Authen::SASL->new(mechanism => 'GSSAPI')->client_new('ldap', $server) to
> Net::LDAP::bind().
> 
> Does this change in your application fix this problem for you?

Yes, it does, thanks a lot for the tip!

Closing in the hope that this answer will find its way to the top of the search results...
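The change recommended in comment 2, written out as a complete script. This is an added example, not code from the bug report or from perl-LDAP; the server name is assumed, as is a valid Kerberos ticket (kinit) on the client host.

```perl
#!/usr/bin/perl
# Added example (not from the bug report): GSSAPI bind with Net::LDAP
# using a SASL client created for the server's hostname, as in comment 2.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;
use Authen::SASL;

# Assumed hostname. It must be a DNS name, not an IP literal: GSSAPI
# builds the target service principal ldap/<host>@REALM from it, and a
# numeric address gives the Kerberos library no realm to map it to.
my $server = 'server.example.com';

my $ldap = Net::LDAP->new($server) or die "connect to $server: $@\n";

my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');

# Create the SASL client here instead of letting Net::LDAP do it.
# When handed a bare Authen::SASL object, Net::LDAP calls client_new()
# with the peer address of the socket, which is what produced
# "Cannot determine realm for numeric host address" in the report.
my $client = $sasl->client_new('ldap', $server);

my $mesg = $ldap->bind(sasl => $client);
if ($mesg->code) {
    die sprintf "bind failed: %s / SASL: %s\n",
        $mesg->error, ($client->error || 'no SASL error');
}
printf "bound with %s\n", $client->mechanism;

# Confirm which identity the server actually bound us as (RFC 4532).
my $who = $ldap->who_am_i;
die "whoami failed: " . $who->error . "\n" if $who->code;
print "authzId: ", $who->response, "\n";

$ldap->unbind;
```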
